Cabrillo Club
Platform
Proof
Pricing
Talk to a founder
Cabrillo Club

Seven private AI products for government contractors. Find. Win. Deliver. Protect.

Products

  • Signals
  • ProposalOS
  • CalibrationOS
  • FinanceOS
  • Platform & roadmap

Solutions

  • Defense & GovCon
  • Your Business
  • Membership
  • Pricing

Resources

  • Insights
  • Tools
  • Community
  • CMMC Assessment

Company

  • About
  • Team
  • Proof
  • Contact

© 2026 Cabrillo Club LLC. All rights reserved.

PrivacyTermsCookiesDo Not Sell or Share
  1. Home
  2. Insights
  3. Pentagon task force to review CMMC hits the ground running
Compliance & Risk

Pentagon task force to review CMMC hits the ground running

The Department of Defense has launched a task force to conduct a comprehensive 60-day review of the entire CMMC program and has paused Phase 2 requirements that were set to take effect November 10, 2026.…

Cabrillo Club

Cabrillo Club

Editorial Team · July 17, 2026 · 4 min read

Share:LinkedInX

Cabrillo Club Insights

Pentagon task force to review CMMC hits the ground running

Also in this intelligence package

Segment Impact

Deep dive into how this impacts each market segment.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →

CMMC program update — July 13, 2026

The Department of War has suspended CMMC Phase 2 requirements pending a 60-day program review. Phase 1 self-assessments, SPRS scores, and DFARS 252.204-7012 safeguarding obligations remain fully in force. Certification dates and third-party assessment requirements referenced in this article may change when the review concludes. Read the DoW release

In This Guide
  • TL;DR
  • Key Points
  • Who Is Affected
  • Frequently Asked Questions
  • Definitions
  • Intelligence Response

TL;DR

The Department of Defense has launched a task force to conduct a comprehensive 60-day review of the entire CMMC (Cybersecurity Maturity Model Certification) program and has paused Phase 2 requirements that were set to take effect November 10, 2026. The review will examine all aspects of CMMC, including NIST framework requirements, DFARS (Defense Federal Acquisition Regulation Supplement) requirements, and the cyber threat landscape, and it could result in outcomes ranging from minor program tweaks to a complete overhaul. DOD has issued an RFI soliciting feedback from defense contractors on compliance burden and commercial cyber solutions. Final recommendations are expected approximately 75 days from the task force's July 17 kickoff. Immediate implications: enforcement timing for Phase 2 is in flux, contractors should prepare to respond to the RFI and preserve compliance workstreams, and capture priorities and bid timing may shift as evaluation criteria evolve.

Key Points

  • What happened: The DoD (Department of Defense) launched a task force for a 60-day comprehensive review of the CMMC program and paused Phase 2 requirements that had been scheduled to take effect November 10, 2026; DoD issued an RFI and expects final recommendations ~75 days from the task force July 17 kickoff.
  • Who is affected: NAICS codes 334111, 334118, 334290, 334511, 336411, 336412, 336413, 336414, 336415, 336419, 541330, 541511, 541512, 541513, 541519, 541715, 561210; agencies: DOD / Department of Defense / DFARS; contract vehicles: OASIS+, STARS III, SEWP, GSA (General Services Administration) MAS, 8(a) STARS III; market segments: Defense, Cybersecurity, IT Services, Defense Industrial Base, Aerospace and Defense, Manufacturing, Professional Services, Managed Security Services; compliance surfaces: CMMC, CMMC 2.0, NIST 800-171 (NIST Special Publication 800-171) / NIST SP 800-171 (NIST Special Publication 800-171), DFARS 252.204-7012, DFARS, NIST 800-172.
  • Timeline: 60-day review with Phase 2 pause; RFI issued; final recommendations expected approximately 75 days from the July 17 kickoff.
  • What contractors should do NOW: Pause irreversible Phase 2 expenditures tied strictly to the enforcement date, preserve documentation of current compliance efforts, assemble factual input for the DoD RFI, rescore pipeline opportunities and near-term capture plans, notify internal stakeholders, and stand up monitored saved searches for solicitations and policy updates.

Who Is Affected

The review affects defense contractors and suppliers across the Defense and related market segments who participate in contracts and solicitations tied to CMMC/NIST/DFARS compliance. Specific NAICS codes, agencies, and contract vehicles are listed in Segmentation and should be treated as priority monitoring targets:

  • NAICS: 334111, 334118, 334290, 334511, 336411, 336412, 336413, 336414, 336415, 336419, 541330, 541511, 541512, 541513, 541519, 541715, 561210
  • Agencies: DOD, Department of Defense, DFARS
  • Contract vehicles: OASIS+, STARS III, SEWP, GSA MAS, 8(a) STARS III
  • Compliance regimes: CMMC, CMMC 2.0, NIST 800-171 / NIST SP 800-171, DFARS 252.204-7012, DFARS, NIST 800-172

Frequently Asked Questions

Q: Does the pause on Phase 2 mean CMMC is eliminated?

A: Pending source review. The Summary states Phase 2 requirements are paused and that the task force outcomes could range from minor tweaks to a complete program overhaul; it does not state elimination.

Q: Are the Phase 2 requirements delayed and until when?

A: The Summary says Phase 2 requirements that were set to take effect November 10, 2026 are paused while DoD conducts a 60-day review. Final recommendations are expected approximately 75 days from the task force's July 17 kickoff. For operational decisions, treat enforcement timing as in flux pending formal DoD guidance.

Q: How should contractors respond to the RFI?

A: DoD has issued an RFI soliciting feedback on compliance burden and commercial cyber solutions. Contractors should prepare factual, costed input and examples of operational impacts; specific submission instructions and deadlines are pending source review from the RFI text.

Definitions

  • CMMC: Cybersecurity Maturity Model Certification — the DoD program for assessing contractor cybersecurity maturity referenced in the Title and Summary.
  • NIST framework requirements / NIST SP 800-171 / NIST 800-172: National Institute of Standards and Technology publications referenced in the Summary as part of the review scope.
  • DFARS / DFARS 252.204-7012: Defense Federal Acquisition Regulation Supplement items called out in the Summary for review.
  • RFI: Request for Information — DoD has issued an RFI to solicit contractor feedback as described in the Summary.
  • Phase 2: The phase of CMMC referenced in the Summary that was set to take effect November 10, 2026 and is now paused.

Intelligence Response

  • Cabrillo products to leverage:
  • Cabrillo Signals War Room — Already detected this event and delivered this briefing. Use it to continuously monitor official DoD channels, policy updates, and RFI notices related to the review.
  • Cabrillo Signals Match Engine — Rescore current opportunity pipelines and capture priorities to reflect pause of Phase 2 and potential shifting evaluation criteria.
  • Cabrillo Signals Intelligence Hub — Track the named NAICS codes, the DOD/DFARS agency signals, and listed contract vehicles (OASIS+, STARS III, SEWP, GSA MAS, 8(a) STARS III); set saved searches and alerts for SAM.gov (System for Award Management) and policy updates.
  • Proposal Studio (Proposal OS) — Prepare compliant RFI responses and update compliance matrices and win themes to reflect potential changes.
  • Proposal Studio Workflow Tracker — Route RFI response drafts and capture decisions through an audit-ready 9-gate workflow.
  • Who to notify:
  • Capture Lead — immediate bid/capture posture implications and opportunity rescoring.
  • CISO / Security Compliance Lead — preservation of compliance artifacts and assessment of compliance posture.
  • Proposal Manager — coordinate RFI input and near-term solicitations.
  • CEO / Executive Sponsor — strategic implications for pipeline and investment decisions.
  • First 48-hour response playbook:
  • Hour 0-4: Issue internal alert using Cabrillo Signals War Room brief; notify Capture Lead, CISO, Proposal Manager, and Executive Sponsor.
  • Hour 4-12: Use Cabrillo Signals Intelligence Hub to run saved searches on the listed NAICS codes, agencies, and contract vehicles; flag active solicitations in pipeline.
  • Hour 12-24: Run automated opportunity rescoring in Cabrillo Signals Match Engine; update bid/no-bid decisions and capture priorities.
  • Hour 24-48: Assemble RFI response team and draft input using Proposal Studio (Proposal OS); route drafts through Proposal Studio Workflow Tracker for compliance review and executive sign-off.

Related reference links:

  • Primary hub: CMMC Compliance Guide (/insights/cmmc-compliance-guide)
  • Related guides: CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide), Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide)

How ready are you for CMMC?

Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.

Check Your CMMC Readiness

or try our free CMMC Cost Estimator→

Cabrillo Club

Cabrillo Club

Editorial Team

Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.

TwitterLinkedIn

Continue reading

Segment Impact

Deep dive into how this impacts each market segment.

Read report →
Action Kit

Actionable checklists and implementation guidance.

Read report →
Back to all articles

25-minute assessment. Custom implementation plan.

CMMC changed — read the status brief

Before you go — CMMC just changed

Phase 2 is suspended. Get the Program Status Brief: what changed, what still binds you, and what to do while the review runs.

No spam. Unsubscribe anytime.